10924412

Distribution of Network Traffic to Software Defined Network Based Probes

Published: February 16, 2021
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A device comprising: a processor; and a computer-readable medium storing instructions which, when executed by the processor, cause the processor to perform operations, the operations comprising: receiving network traffic from a demultiplexer via a first network interface card; placing portions of the network traffic into a plurality of hash buckets in a memory; processing a first portion of the portions of the network traffic in at least a first number of hash buckets of the plurality of hash buckets, wherein the device is configured with a maximum number of hash buckets to process, wherein the maximum number of hash buckets to process is less than a physical processing capability of the device; and forwarding a second portion of the portions of the network traffic in at least a second number of hash buckets of the plurality of hash buckets to a switch via a second network interface card, wherein the second portion of the portions of the network traffic comprises an overflow of the network traffic that is in excess of the maximum number of hash buckets of the device, wherein the switch distributes the second portion of the portions of the network traffic to at least one of a plurality of overflow probes, wherein the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the portions of the network traffic.

Claim 2

Original Legal Text

2. The device of claim 1, wherein the demultiplexer receives the network traffic from a tap for copying the network traffic from a link in a communication network.

Plain English Translation

A network traffic monitoring device includes a demultiplexer that receives network traffic from a tap, which copies the traffic from a link in a communication network. The demultiplexer processes the copied traffic to separate it into multiple data streams for further analysis or forwarding. The device may also include a processor that analyzes the demultiplexed traffic to detect anomalies, enforce security policies, or monitor network performance. The tap is positioned at a network link to passively capture traffic without disrupting network operations. The demultiplexer ensures that the copied traffic is distributed efficiently to different processing modules or storage systems. This setup allows for real-time or near-real-time monitoring of network activity, enabling early detection of threats, performance bottlenecks, or policy violations. The device may also include interfaces for integrating with external systems, such as security appliances or network management tools, to enhance monitoring capabilities. The overall system provides a scalable solution for network traffic analysis, supporting high-speed networks with minimal latency.

Claim 3

Original Legal Text

3. The device of claim 2, wherein the link comprises at least a 40 gigabits per second link, and wherein the network traffic is received from the demultiplexer at less or equal to 20 gigabits per second.

Claim 4

Original Legal Text

4. The device of claim 2, wherein the device comprises one of a plurality of devices to receive different network traffic from the link via the demultiplexer.

Claim 5

Original Legal Text

5. The device of claim 1, wherein the maximum number of hash buckets is selected based upon a number of overflow probes of the plurality of overflow probes that are available.

Plain English Translation

A system for managing data storage in a hash-based data structure, such as a hash table, addresses inefficiencies in handling collisions and overflow conditions. The system dynamically adjusts the number of hash buckets to optimize performance and reduce memory overhead. When collisions occur, the system uses a plurality of overflow probes to resolve them, ensuring data integrity and access efficiency. The maximum number of hash buckets is determined based on the available overflow probes, balancing storage capacity with computational overhead. This approach prevents excessive probing while maintaining fast lookup times. The system may also include mechanisms for redistributing data when the number of buckets is adjusted, ensuring minimal disruption to ongoing operations. By dynamically scaling the hash table structure, the system improves adaptability to varying workloads and data distributions, reducing the need for manual tuning or static configurations. This method enhances both performance and resource utilization in systems relying on hash-based data storage.

Claim 6

Original Legal Text

6. The device of claim 5, wherein when the number of overflow probes of the plurality of overflow probes that are available increases, the maximum number of hash buckets is decreased.

Claim 7

Original Legal Text

7. The device of claim 5, wherein the maximum number of hash buckets is not permitted to exceed the number of hash buckets in the plurality of hash buckets.

Claim 8

Original Legal Text

8. The device of claim 1, wherein the placing the portions of the network traffic into the plurality of hash buckets comprises hash load balancing based upon internet protocol address information of the network traffic.

Claim 9

Original Legal Text

9. The device of claim 8, wherein the hash load balancing is further based upon sub-internet protocol address information.

Plain English Translation

A system for network traffic management improves load balancing by distributing data packets across multiple processing nodes using hash-based algorithms. The system addresses inefficiencies in traditional load balancing methods, which often fail to account for fine-grained network characteristics, leading to uneven traffic distribution and performance bottlenecks. The invention enhances load balancing by incorporating sub-internet protocol (IP) address information, such as subnet masks or specific address ranges, into the hash function. This allows the system to distribute traffic more intelligently, ensuring that packets with similar sub-IP attributes are routed to the same processing node, reducing unnecessary data fragmentation and improving consistency in handling related network flows. The system may also integrate additional factors like packet headers, timestamps, or application-layer metadata to further refine load distribution. By dynamically adjusting the hash function based on real-time network conditions, the system optimizes resource utilization and minimizes latency, particularly in high-traffic environments like data centers or cloud computing platforms. The invention is applicable to routers, switches, and other network devices that require efficient traffic management.

Claim 10

Original Legal Text

10. The device of claim 9, wherein the sub-internet protocol address information comprises: port numbers of the network traffic; packet sizes of the network traffic; datagram sizes of the network traffic; or content types of the network traffic.

Plain English Translation

This invention relates to network traffic analysis and classification, specifically improving the identification and handling of network traffic based on sub-internet protocol (sub-IP) address information. The problem addressed is the need for more granular and accurate traffic classification beyond traditional IP address-based methods, which often lack detail for modern network security, monitoring, and optimization. The device includes a network traffic analyzer that processes incoming network traffic to extract sub-IP address information, which provides deeper insights into traffic characteristics. This information includes port numbers, packet sizes, datagram sizes, and content types of the network traffic. By analyzing these parameters, the device can classify traffic more precisely, enabling better security filtering, quality of service (QoS) management, and traffic shaping. The extracted sub-IP data is used to generate a traffic profile, which can be compared against known patterns to identify anomalies, malicious activity, or performance bottlenecks. The device may also include a controller that adjusts network policies or routing decisions based on the analyzed traffic, ensuring efficient and secure network operations. This approach enhances traditional IP-based methods by incorporating additional layers of traffic metadata, improving accuracy and adaptability in dynamic network environments.
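The arrangement recited in claims 1, 5 to 8 and 10 can be sketched as follows; this is an added illustration, not code from the patent or from this page. The bucket count, the SHA-256 hash, the rule that each available overflow probe lowers the local cap by `step` buckets, and the switch's modulo distribution are all assumptions made for the example.

```python
import hashlib
import ipaddress

TOTAL_BUCKETS = 16  # assumed size of the "plurality of hash buckets"

def bucket_for(src, dst, sport, dport, total=TOTAL_BUCKETS):
    """Hash IP addresses plus port numbers (sub-IP information) to a bucket.
    Endpoints are sorted so both directions of a flow share one bucket,
    which keeps a whole session on the same probe for security scanning."""
    a = (int(ipaddress.ip_address(src)), sport)
    b = (int(ipaddress.ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    key = f"{lo[0]}:{lo[1]}-{hi[0]}:{hi[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % total

def max_local_buckets(available_probes, total=TOTAL_BUCKETS, step=2):
    """Assumed policy: every available overflow probe takes `step` buckets
    off the local cap. The cap shrinks as probes are added (claim 6) and
    never exceeds the number of buckets that exist (claim 7)."""
    return max(1, min(total, total - step * available_probes))

def route(packet, probes):
    """Return ('local', bucket) for traffic the device processes itself, or
    ('overflow', probe) for traffic forwarded to the switch."""
    bucket = bucket_for(*packet)
    cap = max_local_buckets(len(probes))
    if bucket < cap:
        return ("local", bucket)
    # Assumed switch behaviour: spread overflow buckets across probes.
    return ("overflow", probes[(bucket - cap) % len(probes)])

# Constructed sample flows: (src, dst, sport, dport)
SAMPLE = [
    ("10.0.0.5", "192.0.2.9", 51000, 443),
    ("10.0.0.6", "192.0.2.9", 51001, 443),
    ("10.0.0.7", "198.51.100.4", 40000, 53),
    ("2001:db8::1", "2001:db8::2", 33000, 22),
]

def summarize(packets, probes):
    """Count how many sample flows stay local and how many overflow."""
    counts = {"local": 0, "overflow": 0}
    for pkt in packets:
        counts[route(pkt, probes)[0]] += 1
    return counts

if __name__ == "__main__":
    for n in (0, 2, 6):
        names = [f"probe-{i}" for i in range(n)]
        print(n, max_local_buckets(n), summarize(SAMPLE, names))
```

With no overflow probes the cap equals the bucket count, so every flow is processed locally.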

Claim 11

Original Legal Text

11. The device of claim 1, wherein the processing the first portion of the portions of the network traffic comprises: storing packets of the first portion of the portions of the network traffic; generating aggregate link utilization information for a link from which the network traffic is copied; or scanning the first portion of the portions of the network traffic for security issues.

Claim 12

Original Legal Text

12. The device of claim 1, wherein the processing the second portion of the portions of the network traffic comprises: storing packets of the second portion of the portions of the network traffic; generating aggregate link utilization information for a link from which the network traffic is copied; or scanning the second portion of the portions of the network traffic for security issues.

Claim 13

Original Legal Text

13. A non-transitory computer-readable medium storing instructions which, when executed by a processor of a server deployed in a communication network, cause the processor to perform operations, the operations comprising: receiving network traffic from a demultiplexer via a first network interface card; placing portions of the network traffic into a plurality of hash buckets in a memory; processing a first portion of the portions of the network traffic in at least a first number of hash buckets of the plurality of hash buckets, wherein the server is configured with a maximum number of hash buckets to process, wherein the maximum number of hash buckets to process is less than a physical processing capability of the device; and forwarding a second portion of the portions of the network traffic in at least a second number of hash buckets of the plurality of hash buckets to a switch via a second network interface card, wherein the second portion of the portions of the network traffic comprises an overflow of the network traffic that is in excess of the maximum number of hash buckets of the device, wherein the switch distributes the second portion of the portions of the network traffic to at least one of a plurality of overflow probes, wherein the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the portions of the network traffic.

Claim 14

Original Legal Text

14. The non-transitory computer-readable medium of claim 13, wherein the demultiplexer receives the network traffic from a tap for copying the network traffic from a link in a communication network.

Claim 15

Original Legal Text

15. The non-transitory computer-readable medium of claim 14, wherein the link comprises at least a 40 gigabits per second link, and wherein the network traffic is received from the demultiplexer at less or equal to 20 gigabits per second.

Plain English Translation

This invention relates to high-speed data transmission systems, specifically addressing the challenge of efficiently managing network traffic in high-bandwidth environments. The system includes a non-transitory computer-readable medium storing instructions for processing network traffic. The instructions configure a processor to receive network traffic from a demultiplexer via a high-speed link, where the link operates at a minimum of 40 gigabits per second (Gbps). The received network traffic is constrained to a maximum rate of 20 Gbps or less. The demultiplexer is responsible for separating incoming data streams into distinct channels or flows, enabling efficient routing and processing. The system ensures that the high-speed link is utilized effectively while maintaining manageable traffic loads to prevent congestion and optimize performance. This approach is particularly useful in data centers, telecommunications networks, and other environments requiring high-throughput, low-latency data transmission. The invention focuses on balancing link capacity with traffic volume to enhance network reliability and scalability.

Claim 16

Original Legal Text

16. The non-transitory computer-readable medium of claim 14, wherein the server comprises one of a plurality of devices to receive different network traffic from the link via the demultiplexer.

Claim 17

Original Legal Text

17. The non-transitory computer-readable medium of claim 13, wherein the maximum number of hash buckets is selected based upon a number of overflow probes of the plurality of overflow probes that are available.

Claim 18

Original Legal Text

18. The non-transitory computer-readable medium of claim 17, wherein when the number of overflow probes of the plurality of overflow probes that are available increases, the maximum number of hash buckets is decreased.

Claim 19

Original Legal Text

19. The non-transitory computer-readable medium of claim 17, wherein the maximum number of hash buckets is not permitted to exceed the number of hash buckets in the plurality of hash buckets.

Claim 20

Original Legal Text

20. A method comprising: receiving, by a processor deployed in a communication network, network traffic from a demultiplexer via a first network interface card; placing, by the processor, portions of the network traffic into a plurality of hash buckets in a memory; processing, by the processor, a first portion of the portions of the network traffic in at least a first number of hash buckets of the plurality of hash buckets, wherein the processor is configured with a maximum number of hash buckets to process, wherein the maximum number of hash buckets to process is less than a physical processing capability of the processor; and forwarding, by the processor, a second portion of the portions of the network traffic in at least a second number of hash buckets of the plurality of hash buckets to a switch via a second network interface card, wherein the second portion of the portions of the network traffic comprises an overflow of the network traffic that is in excess of the maximum number of hash buckets to process of the processor, wherein the switch distributes the second portion of the portions of the network traffic to at least one of a plurality of overflow probes, wherein the plurality of overflow probes comprises a network function virtualization infrastructure for processing the second portion of the portions of the network traffic.

Patent Metadata

Filing Date

Unknown

Publication Date

February 16, 2021

Inventors

Arthur L. Zaifman
John M. Mocenigo

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “DISTRIBUTION OF NETWORK TRAFFIC TO SOFTWARE DEFINED NETWORK BASED PROBES” (10924412). https://patentable.app/patents/10924412